The critical Java vulnerability that is currently under attack was made possible by an incomplete patch Oracle developers issued last year to fix an earlier security bug, a researcher said.

The revelation, made Friday by Adam Gowdiak of Poland-based Security Explorations, is the latest black eye for Oracle's Java software framework, which is installed on more than 1 billion PCs, smartphones, and other devices. Last year saw a steady stream of attacks that exploited Java vulnerabilities, allowing miscreants to surreptitiously install keyloggers and other malicious software when unwitting people browsed compromised websites. The abuse has already continued into 2013: on Thursday, researchers reported yet another critical bug that is being "massively exploited in the wild".

"Bugs are like mushrooms, in many cases they can be found in a close proximity to those already spotted," Gowdiak wrote. "It looks like Oracle either stopped the picking too early or they are still deep in the woods."

Update: Asked for comment on Gowdiak's comments, an Oracle spokeswoman e-mailed the following statement: "Oracle is aware of a flaw in Java software integrated with web browsers. The flaw is limited to JDK7. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices. A fix will be available shortly."

Exploits of the latest Java vulnerability, which were first observed more than a month ago, combine two bugs. The first involves the Class.forName() method and allows the loading of arbitrary (restricted) classes. The second bug relies on the invokeWithArguments method call and was also at the root of Issue 32, which Oracle purportedly patched in October.

"However, it turns out that the fix was not complete as one can still abuse the invokeWithArguments method to set up calls to the invokeExact method with a trusted system class as a target method caller," Gowdiak wrote. "This time the call is however done to methods of the new Reflection API (from the java.lang.invoke.* package), of which many rely on security checks conducted against the caller of the target method."

Developers of the Metasploit framework for hackers and penetration testers have released a module that should exploit the vulnerability on machines running Windows, Apple OS X, and Linux regardless of the browser they're using. The US-CERT, which is affiliated with the Department of Homeland Security, is advising people to disable Java in Web browsers.

49 Reader Comments

Makes you wonder if Oracle (or Sun before them) would fix this vulnerability and then say "Ok. NOW we're 100% secure." only to be proved wrong a little while later. So maybe Oracle should take this moment to do their own code audit for security holes.

> Makes you wonder if Oracle (or Sun before them) would fix this vulnerability and then say "Ok. NOW we're 100% secure." only to be proved wrong a little while later. So maybe Oracle should take this moment to do their own code audit for security holes.

Yeah, one would kind of hope they would have gotten that message, but so far it seems not! lol.

Oracle's core client, and source of revenue, are politically connected and not-so-tech-savvy (at least not with tech from this century....) IT managers or CIOs of large companies. They buy into the Oracle brand and give them 6-8 figure licensing fees, sight unseen. The benchmark for quality in this world of theirs isn't security or best practice or, generally speaking, good solid code. The benchmark for quality is the features: what the product will bring to the table, how well it would integrate into the business flow and improve said business flow, and how much more revenue the company would earn if they implemented said product.

They really don't look at the quality of code or the soundness of the backend. Hacked-together spaghetti code churned out by bad devs, or best-practices-compliant code, it doesn't matter. Esoteric security vulnerabilities such as buffer overflows matter even less. It's all about the features, the slick presentation given by the vendors' sales guys, and the support agreements. That's what's looked at before the sale.

> Makes you wonder if Oracle (or Sun before them) would fix this vulnerability and then say "Ok. NOW we're 100% secure." only to be proved wrong a little while later. So maybe Oracle should take this moment to do their own code audit for security holes.

Maybe now is the time for Oracle to have _someone else_ do a code audit for security holes.

Ugh, I really hate sandboxing stuff whenever possible, but it looks like I'll have no choice and will use my license of VMware when playing on my friend's MC server. I really wish 4J Studios or Mojang would make a pure C++ rendition of the game.

You can disable Java in the browser without removing your ability to run downloaded Java applications. C++ is no safer than Java, it's just that you don't download arbitrary C++ code and run it in your browser.

> > Makes you wonder if Oracle (or Sun before them) would fix this vulnerability and then say "Ok. NOW we're 100% secure." only to be proved wrong a little while later. So maybe Oracle should take this moment to do their own code audit for security holes.

> Maybe now is the time for Oracle to have _someone else_ do a code audit for security holes.

Their CSO has a pride problem. Pride goeth before a fall...

Edit: I'm not just making this up. She has very publicly trash talked hiring outside security auditors.

> Ugh, I really hate sandboxing stuff whenever possible, but it looks like I'll have no choice and will use my license of VMware when playing on my friend's MC server. I really wish 4J Studios or Mojang would make a pure C++ rendition of the game.

This is another Java-in-the-web-browser issue. Your stand-alone Java apps should be safe.

> Oracle's core client, and source of revenue, are politically connected and not-so-tech-savvy (at least not with tech from this century....) IT managers or CIOs of large companies. They buy into the Oracle brand and give them 6-8 figure licensing fees, sight unseen. The benchmark for quality in this world of theirs isn't security or best practice or, generally speaking, good solid code. The benchmark for quality is the features: what the product will bring to the table, how well it would integrate into the business flow and improve said business flow, and how much more revenue the company would earn if they implemented said product.
>
> They really don't look at the quality of code or the soundness of the backend. Hacked-together spaghetti code churned out by bad devs, or best-practices-compliant code, it doesn't matter. Esoteric security vulnerabilities such as buffer overflows matter even less. It's all about the features, the slick presentation given by the vendors' sales guys, and the support agreements. That's what's looked at before the sale.

I wish I were exaggerating, but I'm not in the slightest.

The problem, as MS has discovered, is that while it takes a long time for badly handled serial exploits to hurt your business, it takes just as long for your business to recover once the damage is done.

I really want to like Java as a language, but the constant reminders of its inability to remain secure in the browser make me wonder if there is a language out there that is a bit more secure. Java web applets seem like they were an idea that sounded good on paper, but ended up being terrible in practice. Java as an offline coding platform is robust and flexible, but as a web platform it seems to have an attack surface the size of the moon. What other options are available that aren't too exotic in terms of syntax/methods?

People are using JavaScript and HTML 5 for apps now, to the extent possible. ActiveX (compiled Windows binaries) didn't make it in the market, and there's no other significant, open, sandboxed language that I know of that is getting any use on the web other than JavaScript inside the browser.

Java was respected and trusted when Sun Microsystems owned it. Java was doomed when Larry Ellis, owner of Oracle, managed to buy out Sun Microsystems. Larry was never a supporter of Java and thus does not care about it. He has always been a cowboy in the IT industry and only cares about accumulating money. I recall when he demonized Bill Gates publicly back in the 90s at an IT conference in Europe. I personally never trusted Oracle because of Ellis. Java seems to have been vulnerable since it has been owned by Oracle. The IT community should also question Open Office, as it was also acquired in the purchase of Sun.

Oracle is way, way more than just the database these days. It's really a misrepresentation to say the DB is their core product, because it makes them sound like just a database company. They have a very wide array of enterprise applications in their fold. There is a decent chance your company's financials and HR systems use an Oracle product that isn't a database, for instance.

*Personal preference here, but I'd still rather run Informix for OLTP stuff and Teradata for data warehouse work over Oracle.

> People are using JavaScript and HTML 5 for apps now, to the extent possible. ActiveX (compiled Windows binaries) didn't make it in the market...

Those of us with longer memories will be quick to point out that ActiveX seemed to have just as many vulnerabilities in its heyday as Java seems to have today. I'm not necessarily defending Microsoft, Oracle, Sun, Apple or anyone else... but the fact of the matter is, vulnerabilities can almost always be found in compiled code, no matter how hard the developers bang on it. In fact, if there are any surprises here at all, it's that Java has managed to escape the attention of hackers/crackers for as long as it did before becoming their primary target... especially given its cross-platform nature.

I live in Norway, where all the banks use a system for logging on to your account called BankID. This system uses Java. Today, Apple has blocked Java in Safari completely. Firefox did not work either. But luckily I have activated BankID via mobile phone. That worked, but I think a lot of people here in Norway will run into problems with this situation.

> I live in Norway, where all the banks use a system for logging on to your account called BankID. This system uses Java. Today, Apple has blocked Java in Safari completely. Firefox did not work either. But luckily I have activated BankID via mobile phone. That worked, but I think a lot of people here in Norway will run into problems with this situation.

Well, this adds insight into why the Java vulnerability was so profoundly exploited!

^^ That's true (to ChrisC). We use their CRM and are about to implement their ERP.

The CRM promises much and delivers some, but the underlying code is horrendous. The client-facing apps, those that integrate with Outlook and those that users have on their desktop to access data with, are so bad I haven't got the words to express how bad they are. The users are clueless, of course, and they just use what's been given to them. But from where I sit, I can't deploy this shit from a centralized software deployment point. It must be installed by hand on each PC! Not only that, but it must be installed by the user who will run it, and they must be administrator. If we installed it with a different admin account and then had the user log in, the damn thing would not work. This is precisely what I was talking about earlier. Our CRM "works" if you asked my boss or his bosses, but from where I sit it is unmitigated garbage.

As for ERP, the jury is still out because we are in the early stages of deploying that. So far we've been told that it'd support one crucial feature we need, only to find out that it does so only if we purchase a separate 3rd-party application. Also, we've been told we could leverage IIS for the front end, and now we are finding out we have to use WebLogic (Java EE and rebranded Apache). How long do you think before an Apache-proper security patch is ported over and made available for this? 6-month delay? A year? Meanwhile we are vulnerable. That's what I have to worry about.

> > I live in Norway, where all the banks use a system for logging on to your account called BankID. This system uses Java. Today, Apple has blocked Java in Safari completely. Firefox did not work either. But luckily I have activated BankID via mobile phone. That worked, but I think a lot of people here in Norway will run into problems with this situation.

> Well, this adds insight into why the Java vulnerability was so profoundly exploited!

On a semi-related topic... This reminds me of a bank would-be customer of ours not long ago. They didn't want to utilize our native product but wanted our lightweight product, which required at least Flash 10 to function (11 wasn't out at this time). They however then stated that they couldn't use it because their systems are only approved for Flash 7 (or some amazingly old version) and that they would need us to relax our Flash 10 requirement. In other words, computers at the bank, ones with external and internal access, had rather old, security-hole-riddled versions of Flash installed and they didn't allow later versions to be installed. Heck, having Flash installed at all would make me very nervous.

I sure hope they had some proxy, etc. protection in place with whitelists for sites that could actually deliver Flash content.

It's amazingly expensive, amazingly and unnecessarily difficult to set up and monitor, and their development and management tools are so mind-blowingly pathetic I want to stab myself in the neck on a daily basis.

Other than that, for the past two major versions it has had a bigger default attack surface than its competitors, has more non-relational features that allow dumb developers to grind it into a pulp and has less forward support commitment than any other DBMS.

> Java was respected and trusted when Sun Microsystems owned it. Java was doomed when Larry Ellis, owner of Oracle, managed to buy out Sun Microsystems. Larry was never a supporter of Java and thus does not care about it. He has always been a cowboy in the IT industry and only cares about accumulating money. I recall when he demonized Bill Gates publicly back in the 90s at an IT conference in Europe. I personally never trusted Oracle because of Ellis. Java seems to have been vulnerable since it has been owned by Oracle. The IT community should also question Open Office, as it was also acquired in the purchase of Sun.

You mean Ellison.

I've never had much respect for Java, but Sun definitely gave more of a damn about it than Oracle does.

Someone should point out that Oracle reminds people this issue only exists in JDK 7... also known as the post-Sun or A.O. (After Oracle) era of Java.

So for Oracle to remind us this is only an issue with Oracle's vision of Java is pretty damning if you ask me. Do they think before they speak? They obviously don't think before they commit code or you wouldn't see the resurfacing of a previously patched exploit.

We all knew it was a sad day for Java when Oracle took over, and many didn't have much hope for it when it was still with Sun to begin with.

> I really want to like Java as a language, but the constant reminders of its inability to remain secure in the browser make me wonder if there is a language out there that is a bit more secure. Java web applets seem like they were an idea that sounded good on paper, but ended up being terrible in practice. Java as an offline coding platform is robust and flexible, but as a web platform it seems to have an attack surface the size of the moon. What other options are available that aren't too exotic in terms of syntax/methods?

This is not a problem with the language, but a problem with the implementation of the framework APIs. I still prefer Java to C#, mainly because it has checked exceptions. Otherwise, the two are very similar.

And, you are correct. Java Applets can be powerful, and that is exactly the problem. With great power comes great responsibility, right? Unfortunately, Oracle is not high on my list of "responsible" companies. They've long had a reputation of flexible, and questionable, ethics.